On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote:
> Kinda off-topic but nowhere in the discussion the question of checking
> already installed files was addressed and it should be asked:

md5sums and signatures are most useful in the context of installation.
Post-installation, you cannot be guaranteed that an intrusion rootkit
doesn't compromise the md5sum files themselves. Using the installed
*.md5sum files to check the integrity gives you a false sense of
security unless those *.md5sum files are signed or CRC'd as well.
Regardless, using md5sums of selected files does not identify files that
are not part of that set.

A true IDS is needed, such as aide, tripwire, or cfengine to detect
post-installation intrusion. Tie in aide or tripwire database
checks/updates with the apt.conf "PostInst" option in addition to a
daily cronjob to ensure the database is updated in a timely manner.

For install-time integrity checking, GnuPG signatures or the existing
chain of md5sum and signed Release files should be sufficient without
adding undue complexity. Integration of debsigs would be a welcome
addition to dpkg. Following its creation, does anyone have a case study
or success story hailing the usefulness of debsigs?
--
Chad Walstrom <chewie@wookimus.net> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */
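An added example, not part of the original message: a minimal baseline check showing the two points made above, that an on-host checksum list is only trustworthy if it is itself authenticated, and that a full-tree snapshot is needed to notice files outside the known set. An HMAC with a key kept off the audited host stands in for a signature here; all function names, file names and the key are constructed for the illustration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    out = {}
    for d, _, names in os.walk(root):
        for n in names:
            with open(os.path.join(d, n), "rb") as f:
                rel = os.path.relpath(f.name, root)
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def seal(manifest, key):
    """Serialise the manifest and tag it; the key is assumed to live off-host."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def audit(root, blob, tag, key):
    """Return (modified, missing, unexpected); raise if the manifest was altered."""
    want = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, tag):
        raise ValueError("manifest failed authentication")
    known, now = json.loads(blob), snapshot(root)
    modified = sorted(p for p in known if p in now and now[p] != known[p])
    missing = sorted(p for p in known if p not in now)
    unexpected = sorted(p for p in now if p not in known)  # files outside the set
    return modified, missing, unexpected

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps"):  # constructed sample files
            write(root, name, b"v1")
        blob, tag = seal(snapshot(root), key)
        write(root, "ls", b"v2")      # known file changed after the baseline
        write(root, "extra", b"new")  # file that was never in the baseline
        report = audit(root, blob, tag, key)
        # Manifest regenerated on the host without the real key:
        rewritten, _ = seal(snapshot(root), b"not-the-real-key")
        try:
            audit(root, rewritten, tag, key)
            rejected = False
        except ValueError:
            rejected = True
    return report, rejected
```

Calling `demo()` returns the audit report for the altered tree together with a flag showing that the regenerated manifest was refused.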